CVE-2019-25608

High
CWE-520 — Weakness Type
Published: Mar 22, 2026  ·  Modified: Mar 29, 2026  ·  Source: NVD
CVSS v3: 8.4
📄 Description (English)

Iperius Backup 6.1.0 contains a privilege escalation vulnerability that allows low-privilege users to execute arbitrary programs with elevated privileges by creating backup jobs. Attackers can configure backup jobs to execute malicious batch files or programs before or after backup operations, which run with the privileges of the Iperius Backup Service account (Local System or Administrator), enabling privilege escalation and arbitrary code execution.

🤖 AI Executive Summary

Iperius Backup 6.1.0 contains a critical privilege escalation vulnerability (CVE-2019-25608) allowing low-privilege users to execute arbitrary code with system-level privileges through malicious backup job configurations. The vulnerability exploits the backup service's elevated privileges to run attacker-controlled batch files or programs, enabling complete system compromise. With a CVSS score of 8.4 and no available patch, this poses significant risk to organizations using this backup solution.

🤖 AI Intelligence Analysis (Analyzed: Apr 24, 2026 09:21)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations relying on Iperius Backup for critical infrastructure protection face severe risk, particularly:
1. Banking sector (SAMA-regulated institutions): backup systems protecting financial data and transaction records
2. Government agencies (NCA oversight): backup solutions for classified and sensitive government data
3. Healthcare sector: patient data and medical records backup systems
4. Energy sector (ARAMCO and utilities): industrial control system backups
5. Telecommunications (STC, Mobily): network infrastructure backups

The lack of available patches creates persistent vulnerability across all affected deployments.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Healthcare and Medical Services; Energy and Utilities; Telecommunications; Critical Infrastructure; Enterprise IT Services
⚖️ Saudi Risk Score (AI)
8.7 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all Iperius Backup 6.1.0 installations across the organization
2. Restrict backup job creation permissions to trusted administrators only
3. Implement strict access controls limiting who can configure backup jobs
4. Disable pre/post-backup script execution if not required for operations
5. Monitor backup job configurations for suspicious or unauthorized modifications

COMPENSATING CONTROLS:
1. Run Iperius Backup Service with minimal required privileges (not Local System/Administrator if possible)
2. Implement application whitelisting to prevent unauthorized executable execution
3. Deploy file integrity monitoring on backup job configuration files
4. Use Windows AppLocker or equivalent to restrict script execution
5. Enable detailed audit logging for backup job creation and modification events
6. Implement network segmentation isolating backup infrastructure

DETECTION RULES:
1. Monitor Windows Event Logs for backup job creation/modification by non-administrative users
2. Alert on execution of batch files or scripts from backup service account context
3. Track registry modifications related to Iperius Backup configuration
4. Monitor for suspicious process spawning from backup service processes
5. Implement SIEM rules detecting privilege escalation patterns

LONG-TERM:
1. Evaluate alternative backup solutions with better security posture
2. Plan migration away from Iperius Backup 6.1.0 to patched or alternative solutions
3. Implement zero-trust principles for backup infrastructure access
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (privilege escalation prevention)
ECC 2024 A.5.2.1 - User Registration and De-registration (access management)
ECC 2024 A.5.3.1 - Access Rights Review (periodic review of backup job permissions)
ECC 2024 A.8.2.1 - User Awareness and Training (backup security practices)
ECC 2024 A.12.4.1 - Event Logging (backup job modification audit trails)
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management (inventory backup systems)
SAMA CSF PR.AC-1 - Access Control Policy (restrict backup job creation)
SAMA CSF PR.AC-4 - Access Rights Management (principle of least privilege)
SAMA CSF DE.CM-1 - System Monitoring (detect unauthorized backup modifications)
SAMA CSF DE.AE-1 - Anomalies and Events (privilege escalation detection)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information Security Policies (backup security policy)
ISO 27001:2022 A.6.2 - Internal Organization (access control responsibilities)
ISO 27001:2022 A.8.1 - User Endpoint Devices (backup client security)
ISO 27001:2022 A.8.3 - Removable Media (backup media protection)
ISO 27001:2022 A.9.2 - User Access Management (privilege escalation prevention)
ISO 27001:2022 A.12.4 - Logging (audit trail of backup operations)
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default Security Parameters (backup system hardening)
PCI DSS 7.1 - Access Control Implementation (restrict backup job creation)
PCI DSS 8.1 - User Identification (backup administrator authentication)
PCI DSS 10.2 - User Actions Logging (backup job modification audit logs)
📊 CVSS Score
8.4 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: L (Local)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity High
CVSS Score 8.4
CWE CWE-520
Exploit No
Patch ✗ No
Published 2026-03-22
Source Feed nvd
🇸🇦 Saudi Risk Score
8.7 / 10.0 — Saudi Risk
Priority: CRITICAL